platformSpecOpts adds additional runtime spec options that may rely on runtime information (rootfs mounted), or platform specific checks with no defined workaround (yet) to specify for other platforms.
| 593 | // runtime information (rootfs mounted), or platform specific checks with |
| 594 | // no defined workaround (yet) to specify for other platforms. |
func (c *criService) platformSpecOpts(
	platform imagespec.Platform,
	config *runtime.ContainerConfig,
	imageConfig *imagespec.ImageConfig,
) ([]oci.SpecOpts, error) {
	var opts []oci.SpecOpts

	// Cross-platform options come first. Resolving the container user needs
	// the rootfs mounted on Linux hosts; other platforms have workarounds that
	// avoid the mount, so the lookup is only delegated from here on Linux.
	//
	// TODO(dcantah): I think the seccomp package can be made to compile on
	// !linux and used here as well.
	if platform.OS == "linux" {
		sc := config.GetLinux().GetSecurityContext()

		// The CRI-supplied identity (username, uid, gid) takes precedence. Only
		// containerd can read the container rootfs, so the resolved string is
		// handed to the spec builder, which rewrites the process user for us.
		user, err := util.GenerateUserString(sc.GetRunAsUsername(), sc.GetRunAsUser(), sc.GetRunAsGroup())
		if err != nil {
			return nil, fmt.Errorf("failed to generate user string: %w", err)
		}

		// Without a CRI override, fall back to the user configured in the OCI image.
		if user == "" {
			user = imageConfig.User
		}

		// When neither the CRI request nor the image names a user, no WithUser
		// option is added and the spec's default process user is left as is.
		if user != "" {
			opts = append(opts, oci.WithUser(user))
		}
	}

	// Then the truly platform-specific options (seccomp, apparmor, etc. on
	// Linux, for example); their error is passed through unwrapped.
	platformOpts, err := c.containerSpecOpts(config, imageConfig)
	if err != nil {
		return nil, err
	}

	return append(opts, platformOpts...), nil
}
| 640 | |
| 641 | // buildContainerSpec build container's OCI spec depending on controller's target platform OS. |
| 642 | func (c *criService) buildContainerSpec( |